CVE-2024-32972 - OpenCVE

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version `1.13.15` and onwards.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/ethereum/go-ethereum/compare/v1.13.14...v1.13.15
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-06T14:26:19.510Z

Updated: 2024-06-04T17:50:49.796Z

Reserved: 2024-04-22T15:14:59.165Z

Link: CVE-2024-32972

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-05-06T15:15:23.130

Modified: 2024-05-06T16:00:59.253

Link: CVE-2024-32972

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.165Z", "datePublished": "2024-05-06T14:26:19.510Z", "dateUpdated": "2024-06-04T17:50:49.796Z"}, "containers": {"cna": {"title": "go-ethereum denial of service via malicious p2p message", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652"}, {"name": "https://github.com/ethereum/go-ethereum/compare/v1.13.14...v1.13.15", "tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/compare/v1.13.14...v1.13.15"}], "affected": [{"vendor": "ethereum", "product": "go-ethereum", "versions": [{"version": "< 1.13.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-06T14:26:19.510Z"}, "descriptions": [{"lang": "en", "value": "go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in geth version `1.13.15` and onwards."}], "source": {"advisory": "GHSA-4xc9-8hmq-j652", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T19:07:59.118874Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ethereum:go_ethereum:-:*:*:*:*:*:*:*"], "vendor": "ethereum", "product": "go_ethereum", "versions": [{"status": "affected", "version": "0", "lessThan": "1.13.15", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:50:49.796Z"}}]}}